Integrating WAFs And Vulnerability Scanners

Sharing vulnerability scanning data with a WAF could expedite shielding Web apps from newly discovered flaws, but it also opens the door for false positives

An industry effort to integrate Web application firewalls (WAFs) with vulnerability scanning tools never got off the ground when it was first launched five years ago, but today the idea of blending the two tools is generating interest -- and debate -- once again. More mature vulnerability scanners that are less false-positive prone and more advanced WAFs, along with PCI compliance pressures and increasing Web threats, have prompted some security experts and enterprises to consider how the tools could better share information about -- and mitigate -- attacks and risks to their Web applications.

"We're starting to see vendors talking about levels of integration," says Neil MacDonald, vice president and Gartner fellow.

Art of Defence, Breach Security, and WhiteHat Security, for example, are among the security vendors offering some early form of WAF-application scanning integration. Art of Defence, for instance, allows users to plug vulnerability scan data into its Hyperguard WAF and automatically generate new rule sets, while WhiteHat uses a mix of vulnerability scanning, WAF tools, and manpower with its vulnerability management service offerings.

Blending vulnerability scanning and WAFs works well for service providers like WhiteHat Security, according to MacDonald, because they employ both tools and people to handle vulnerability assessments and fixes. "The reason this model is working well for some customers is because WhiteHat uses humans and automation to find vulnerabilities," MacDonald says. "By the time the vulnerabilities are determined, they are highly specific and less prone to false positives because they have the human element on the back-end of the testing services.

"That's why WhiteHat is pioneering [this]. It's not an application scanning tool, but a service using a combination of tools and humans to create very specific vulnerability information."

WAFs traditionally have been used for identifying and blocking attacks, as well as alerting the appropriate IT staff, while vulnerability scanners have been used to find vulnerabilities and flaws in the Web apps. "They are mainly looking for two different things," says Ryan Barnett, director of application research at Breach Security, which integrates its WAF with WhiteHat's vulnerability management services. "There is a little overlap...[Breach's WAF] looks at application integrity or defects and misconfigurations," he says.

The main advantage of importing vulnerability scan data into a WAF is it gives the organization more information and insight about when and where to block Web traffic, he says.

But not everyone is sold on integrating WAFs and vulnerability scanners -- especially if it means automating their interactions. "Combining them doesn't help you identify more problems or reduce false positives. It just provides you with the ammo to get from the, 'I identified a problem' stage to the, 'I am no longer vulnerable' stage," says Arshan Dabirsiaghi, director of research for Aspect Security and developer of the ESAPI WAF, a new open-source Web application firewall. "Making this process automatic would be quite dangerous since tools unfortunately find lots of vulnerabilities where there are none, and this would mean a ton of 'patches' to nonexistent vulnerabilities, which would then create some seriously unpredictable behavior."

Georg Hess, founder and CEO of Art of Defence, says his customers are asking for the two tools to be integrated. The company's Hyperguard WAF lets users plug vulnerability scanner findings into it to automatically create new rule sets and defenses. Hyperguard is also integrated with Virtual Forge's SAP vulnerability scanner.

"The decision to not build scanning right into Hyperguard was on purpose. We didn't want to force customers into a vendor-lock situation by integrating vulnerability scanning into our dWAF. We've found that most customers have their own scanners, and they are comfortable with them and would rather not change," he says. "We do have a scanner module as an optional solution if a customer needs one, but most already have one in place and would prefer not to change."

With the OASIS effort to establish a standard for WAFs and application vulnerability scanners to share data long defunct, it likely will come down to each vendor sharing its APIs. Another hurdle to getting WAFs and scanners to work together is that the two tools are typically purchased and run by different groups within an enterprise. "Vulnerability scanners are usually with the infosec team, and WAFs with the operations/network security team," Breach's Barnett says.

Breach's WebDefend has a feature called Change Detection that's a precursor to this type of cooperation. When a Web application gets a new feature, such as a Feedback page, for instance, the team doing vulnerability scanning may not know. "We can flag that and do a policy that emails the infosec team to know an app changed if they want to kick off a scan," he says. "This would be more targeted...the idea of sharing between the tools makes things more efficient."

And integrating vulnerability scanning data with a WAF would narrow the window between finding vulnerability and creating a so-called virtual patch for the application, or a "shield," experts say.
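The scanner-to-WAF flow described above (scan findings turned into virtual-patch rules, and the false-positive risk of doing so automatically) can be illustrated with a small added example; this is illustrative code written for this page, not Hyperguard's, WebDefend's or any vendor's implementation, and the scanner export schema and rule format are hypothetical. The gate on `verified` is the "human element" the article credits with keeping rules specific: unverified findings are queued for review instead of becoming patches to flaws that may not exist.

```python
import json
import re

# Constructed sample scanner export; the schema is hypothetical, not a vendor's.
SCAN_EXPORT = json.dumps({"findings": [
    {"id": "F-1", "type": "sqli", "path": "/feedback", "param": "comment", "verified": True},
    {"id": "F-2", "type": "xss", "path": "/search", "param": "q", "verified": False},
    {"id": "F-3", "type": "info", "path": "/about", "param": None, "verified": True},
]})

# Coarse per-class deny patterns, scoped to one parameter on one path so the
# virtual patch shields only the flaw the scanner reported, nothing wider.
DENY = {
    "sqli": re.compile(r"(?i)('|--|;|\bunion\b|\bselect\b)"),
    "xss": re.compile(r"(?i)(<|>|javascript:|\bon\w+=)"),
}


def build_rules(export_json, require_verified=True):
    """Return (rules, review_queue).

    rules: virtual-patch rules for the WAF (hypothetical dict format).
    review_queue: findings held back for a human, either because no rule
    class fits or because the finding is unverified; unverified findings
    are where automatic patching of nonexistent flaws would come from.
    """
    rules, review = [], []
    for f in json.loads(export_json)["findings"]:
        if f["type"] not in DENY or not f.get("param"):
            review.append((f["id"], "no virtual patch for this finding class"))
        elif require_verified and not f.get("verified"):
            review.append((f["id"], "unverified: confirm before deploying"))
        else:
            rules.append({"id": "vpatch-" + f["id"], "path": f["path"],
                          "param": f["param"], "deny": DENY[f["type"]]})
    return rules, review


def inspect(rules, path, params):
    """Return the id of the first rule that blocks the request, else None."""
    for r in rules:
        if r["path"] == path and r["deny"].search(params.get(r["param"], "")):
            return r["id"]
    return None
```

Running with `require_verified=False` deploys F-2 as well, which is the trade-off the article describes: faster shielding, at the cost of trusting scanner output that no one has confirmed.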

Gartner's MacDonald says his clients are asking about integration when they evaluate WAFs and vulnerability scanners. But it's not something widely available at this point that they can buy, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
